
Output Encoding

Hi folks,

This is my first contribution to the Novell community. Hope you like it!

My first ever experience with Novell IDM was the installation of the Delimited Text Driver about 9 months ago (IdM 3.6.1). After taking a glimpse at the policies, something got my attention. In fact, something didn’t get my attention because it was missing: output encoding. I never reported this as a bug to the Novell developers team since one could argue this is not a bug but an insecure default configuration, a violation of one of the basic security principles: establish secure defaults (see http://www.owasp.org/index.php/Category:Principle)…

Now let’s suppose there’s a user interface / driver without input validation or input sanitization, so an evil guy could insert the following string into the name attribute for some user (preferably himself) in eDirectory:

Great! user01 is now ADMIN; moreover, the administrator has role ‘none’! Even without a newline character, an attack is possible (but more visible). Take a closer look at this event: an attacker manages to insert `User name","ADMIN` as his name.

The stylesheet generates a CSV file with too many fields but I’m pretty sure very few consuming apps will complain about too many fields. They will just stop processing after the number of expected fields.

Here’s the remediation: output encoding in the output-field template. The XSLT Output transformation now looks like:
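As an added illustration (not the article’s XSLT and not code from the Delimited Text Driver), the following Python snippet shows what the output-field template has to do for a comma-delimited file: wrap a value in double quotes whenever it contains the delimiter, a double quote, CR or LF, and double every embedded double quote, so the consuming application always sees exactly one field. The uid/name/role record layout, the sample records and the optional newline-replacement policy are constructed assumptions; the first hostile name is the one quoted above, and the second is a constructed newline smuggle.

```python
import csv
import io

DELIMITER = ","
QUOTE = '"'


def encode_csv_field(value, replace_newlines=False):
    """Output-encode one value for a comma-delimited field (RFC 4180 style).

    The value is wrapped in double quotes if it contains the delimiter, a
    double quote, CR or LF, and every embedded double quote is doubled.
    With replace_newlines=True, CR/LF are first replaced by a space; this is
    an assumed policy for consumers that read one physical line per record
    and never handle a quoted multi-line field (it is not RFC 4180 behaviour).
    """
    value = str(value)
    if replace_newlines:
        value = value.replace("\r", " ").replace("\n", " ")
    if not any(ch in value for ch in (DELIMITER, QUOTE, "\r", "\n")):
        return value
    return QUOTE + value.replace(QUOTE, QUOTE * 2) + QUOTE


def encode_record(fields, **kw):
    """One output line with every field output-encoded."""
    return DELIMITER.join(encode_csv_field(f, **kw) for f in fields)


def naive_record(fields):
    """The unencoded template the article describes: each value is dropped
    between fixed double quotes without inspecting its contents."""
    return DELIMITER.join(QUOTE + str(f) + QUOTE for f in fields)


def build(records, encoded, **kw):
    """Render all records as a CSV text, encoded or naive."""
    lines = [encode_record(r, **kw) if encoded else naive_record(r) for r in records]
    return "\n".join(lines) + "\n"


def parse_csv(text):
    """Parse with the standard RFC 4180-style reader; returns a list of rows."""
    return [row for row in csv.reader(io.StringIO(text)) if row]


def field_counts(text):
    """Number of fields the CSV reader sees in each record."""
    return [len(row) for row in parse_csv(text)]


def physical_lines(text):
    """Number of physical lines, what a line-oriented consumer would count."""
    return len(text.splitlines())


# Constructed sample records: (uid, name, role). user01's name is the hostile
# value quoted in the article; user02's name is a constructed newline smuggle.
SAMPLE_RECORDS = [
    ("admin", "Administrator", "ADMIN"),
    ("user01", 'User name","ADMIN', "none"),
    ("user02", "Smuggled\nuser02,ADMIN", "none"),
]

if __name__ == "__main__":
    naive = build(SAMPLE_RECORDS, encoded=False)
    safe = build(SAMPLE_RECORDS, encoded=True)
    one_line = build(SAMPLE_RECORDS, encoded=True, replace_newlines=True)
    print("naive fields per record:  ", field_counts(naive))     # [3, 4, 3]
    print("encoded fields per record:", field_counts(safe))      # [3, 3, 3]
    print("physical lines naive/encoded/replace-newlines:",
          physical_lines(naive), physical_lines(safe), physical_lines(one_line))
```

With the naive template, user01’s record parses as four fields (the consumer reads `ADMIN` where it expects the role), and user02’s record spans two physical lines. With the encoder, every record parses back to exactly three fields and the hostile names survive unchanged as data; the newline-replacement policy additionally keeps one physical line per record for consumers that cannot handle quoted multi-line fields.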

Disclaimer: As with everything else at NetIQ Cool Solutions, this content is definitely not supported by NetIQ, so Customer Support will not be able to help you if it has any adverse effect on your environment. It just worked for at least one person, and perhaps it will be useful for you too. Be sure to test in a non-production environment.